CVE-2026-46448
Published 2026-06-16
CVE-2026-46448: In OpenStack Nova before 33.0.2, the server create API does not strip certain hint data. The resulting instance has no Placement allocation.
Priority P3 · 49 · high · CVSS 3.1: 8.5
AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H
EPSS: 0.27% (18.9th percentile)
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| openstack | nova | >= 18.0.0 < 31.3.1 | 31.3.1 |
| openstack | nova | 18.0.0 – 31.3.0 | — |
| openstack | nova | >= 32.0.0 < 32.2.1 | 32.2.1 |
| openstack | nova | >= 32.0.0 < 32.2.1 | 32.2.1 |
| openstack | nova | >= 33.0.0 < 33.0.2 | 33.0.2 |
| openstack | nova | 33.0.0 – 33.0.1 | — |
CVSS provenance
nvd · v3.1 · 8.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H
ghsa · 5.4 MEDIUM
vendor_redhat · 5.4 MEDIUM
GHSA
OpenStack Nova: Nova scheduler hint injection bypasses Placement resource claims and scheduling constraints
ghsa·2026-06-16·CVSS 5.4
CVE-2026-46448 [MEDIUM] CWE-669 OpenStack Nova: Nova scheduler hint injection bypasses Placement resource claims and scheduling constraints
## Affects
- Nova: >=18.0.0 <31.3.1, >=32.0.0 <32.2.1, >=33.0.0 <33.0.2
## Description
Erichen from the Institute of Computing Technology, Chinese Academy of
Sciences reported that Nova's server create API does not strip internal
scheduler hints. An authenticated user can bypass Placement resource
claims and scheduling constraint enforcement, including availability
zone, host aggregate, and image trait restrictions. The resulting
instance has no Placement allocation, which can lead to compute node
resource exhaustion and cross-tenant data persistence on NVMe devices
after instance deletion. Deployments running Nova 18.0.0 or later are
affected.
## Patches
- https://review.opendev.org/993604 (2025
VulDB
OpenStack Nova up to 31.3.0/32.2.0/33.0.1 Server Create API resource transfer (EUVD-2026-37218)
vuldb·2026-06-16·CVSS 5.4
CVE-2026-46448 [MEDIUM] OpenStack Nova up to 31.3.0/32.2.0/33.0.1 Server Create API resource transfer (EUVD-2026-37218)
A vulnerability, which was classified as critical, has been found in OpenStack Nova up to 31.3.0/32.2.0/33.0.1. Affected by this issue is some unknown functionality of the component Server Create API. This manipulation causes incorrect resource transfer.
The identification of this vulnerability is CVE-2026-46448. It is possible to initiate the attack remotely. There is no exploit available.
It is advisable to upgrade the affected component.
Red Hat
openstack-nova: OpenStack Nova: Resource allocation issue due to unstripped hint data in server creation API
vendor_redhat·2026-06-16·CVSS 5.4
CVE-2026-46448 [MEDIUM] CWE-1173 openstack-nova: OpenStack Nova: Resource allocation issue due to unstripped hint data in server creation API
In OpenStack Nova before 33.0.2, the server create API does not strip certain hint data. The resulting instance has no Placement allocation.
A flaw was found in OpenStack Nova. The server creation application programming interface (API) fails to remove specific hint data, leading to instances being created without proper Placement allocation. This can result in a denial of service, as resources may not be correctly assigned or managed for the affected instances.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread install
No detection rules found.
No public exploits indexed.